Question
When analyzing the Pushwoosh SDK/plugin, there is a security warning: "MD5 is a weak hash known to have hash collisions" or "Use of Risky Cryptographic Algorithms".
Replacing MD5 with a more secure algorithm is mentioned as a potential mitigation.
Answer
Kindly note that the MD5 hash function has been deprecated for uses other than as a non-cryptographic checksum to verify data integrity and detect unintentional data corruption.
The SDK doesn't use MD5 for security purposes.
There are a few places where MD5 is used: DeviceUtils
/GeneralUtils
and PushwooshSharedDataProvider
use MD5 hash of the packageName just in a HWID generation process (in case 2 or more apps with the Pushwoosh SDK are installed). Another usage is for checksum validation of downloaded RichMedia content. Both usage are internal only and not involve any client's data.
Comments
0 comments
Please sign in to leave a comment.